Comments for U.S. Medical Privacy Law Gutted
A blog covering security and security technology. (Feed updated 2019-02-21T01:05:23Z)

Comment from Liam Gray on 2005-07-10 (http://grayful.com/forum/viewtopic.php?t=4)
Two issues here, one technical and one social:

1. What if each patient permitted her health records to be stored, never on a provider's server, but only on a server controlled by the patient or by an organization of patients? On the login page, the patient could specify her own "terms of use" contract, right?

To maintain privacy, just omit any personal identifiers. A patient could generate from his record both a private, secret identifier that persists and a number of temporary identifiers that expire after a limited time or number of uses. The server could keep a log of who accesses the record and when.

2. Medical providers would cooperate with such a provision if and only if a lot of patients were to demand it and the "terms of use" were standardized.

Intrinsically, consumers face an uphill battle when trying to form a lobby in government strong enough to compete with a producers' lobby. But to take control over our own health records seems like the sort of grassroots action that, just possibly, may not so strictly depend on regulatory coordination.

I have no particular desire to start a new patient advocacy organization. We should try to draft one. Which existing organization might serve as the hub of such a movement? Public Citizen and AARP each do some advocacy for patients; who else?

On the technical side, a term to know is "Personal Health Record" or "PHR." There are (see myphr.com) existing PHR systems available. But, like any other kind of Electronic Health Record (EHR), PHRs will be useless until they follow standardized formats and protocols. These standards are still under development.

Apart from communications bandwidth, what are the barriers to patients storing their records on servers outside the control of providers?

Which technologies look most useful?

What are the major barriers to patients organizing?

Is there any organization which would serve as an advocate for patients' privacy? Which ones?

-Liam

[Posted 2005-07-10T19:10:31Z]

Comment from Jeff Drummond on 2005-06-09 (http://hipaablog.blogspot.com)
Can you "gut" that which has no guts? HIPAA applies to specifically defined "covered entities," which include medical providers like hospitals and doctors, payors such as insurers and health plans, and healthcare information clearinghouses. HIPAA does not apply to anyone else. Congress could have drafted the law differently, but didn't. Congress could have said it applied to those entities and their employees, but it didn't.

Congress might pass a law that says all clean-shaven, non-bald redheads of Irish descent have to jump up and down on their left foot 30 times every morning (Scalia would probably find a Commerce Clause justification for it if he looked hard enough). If Bruce Schneier failed to get in 30 left-footed jumps this morning, that wouldn't be a violation of this law, since it doesn't apply to him. I, on the other hand, would be headed for the slammer. When a criminal law says it applies to this group of individuals and entities, it means it applies to that group of individuals and entities. I'm fairly appalled that a law professor who teaches statutory interpretation doesn't get that.

Gibson was not, and is not, a covered entity. HIPAA did not apply to him. HIPAA did apply, and does apply, to Gibson's employer; the DOJ opinion does not change that. The DOJ opinion does not get the industry out of anything; in fact it reduces the number of potential targets by eliminating from the ambit of the law the people who were not included in the ambit to begin with. The big, bad, evil "industry" is not cleared from prosecution by the DOJ opinion.

Gibson's employers had no idea he was doing what he was doing. Should the doctors for whom he worked go to jail because one of their employees stole information from them and used it to steal money from their patients? Gibson can be sent to jail for a lot of other crimes which he actually committed (since they, you know, actually apply to him). But sending him to jail for a HIPAA violation was a pretty big stretch.

There are some people who I highly respect who say that there is federal case law that allows you to prosecute people who are not in the defined group of persons covered by a statute, but there certainly are a lot of people (particularly on the American Health Lawyers Association's Health Information Technology list-serv) who disagree with that. Of course, those of us on this side of the disagreement didn't bang our spoons on our highchair trays when Gibson came down.

[Posted 2005-06-09T15:02:26Z]

Comment from Matthew X. Economou on 2005-06-08 (http://web.irtnog.org/~xenophon/)
You can find a complete copy of Fritz Stern's speech with a little googling:

[Posted 2005-06-08T13:29:45Z]

Comment from Adam Fields on 2005-06-07 (http://www.aquick.org/awstats/awstats.pl?config=www.aquick.org/blog)
So, what's just happened is that responsibility has been dissociated from access. That's delightful.

[Posted 2005-06-07T23:06:48Z]

Comment from Gregory Tucker on 2005-06-07 (http://www.gregorytucker.net/)
When I read articles like this, I try to keep a level head, but my frustration mounts. What I think we have seen especially markedly since 9/11 are consistent roadblocks to liberal legal traditions and rollbacks of the rule of law. (Note: "liberal" does not mean "left-wing" in this context.) The trend applies to domestic laws as much as international commitments.

In the latest May/June 2005 issue of Foreign Affairs, there is an outstanding article by the famous German historian Fritz Stern with lessons of similar trends in pre-war Nazi Germany.

Unfortunately the entire article is not available online, but it is an excellent and enlightening read, I wish more Americans could read it. Democracy alone does not protect citizens from autocrats; in Egypt and elsewhere there are examples of democratically elected dictators. Singapore and Hong Kong have shown that the respect for rule of law offers more protection, even when democratic credentials are weak. I fear that in the U.S. we are losing even this bedrock of our governance.

[Posted 2005-06-07T21:36:12Z]

Comment from Davi Ottenheimer on 2005-06-07 (http://davi.poetry.org/)
@linnen
Agreed! But prosecution might be turned on its head without fair regulation(s). In fact, even past prosecution may be undone if the relevant regulation(s) are later found to be unfair. Swire makes a sage point that "there are ways to criminalize clearly bad behavior while reassuring ordinary health care employees that they will not be subject to prosecution. When there is enforcement against the bad actors, then the good persons in every organization have more leverage to insist on doing things right." Sometimes just the fear of (effective) prosecution is what makes regulation work, which I think somehow takes us back to Bruce's log entry about Counterfeiting in the Sudan...

[Posted 2005-06-07T21:14:37Z]

Comment from linnen on 2005-06-07
@ Davi

You might find that fair prosecution (like well-crafted regulation) depends on which side of the fence you are standing.
If Industry X is under regulations which delimit its behavior, no amount of crafting will render these regulations as proper unless the regulations are in the Industry's favor. And any prosecution of adverse regulation will be considered unfair.

[Posted 2005-06-07T20:19:09Z]

Comment from Davi Ottenheimer on 2005-06-07 (http://davi.poetry.org/)
I thought Robert M. Gellman put it best, as quoted in the NYT article:

"Under this decision, a tremendous amount of conduct that is clearly wrong will fall outside the criminal penalties of the statute."

Are you still a criminal if you are engaging in criminal behavior but can not be prosecuted?

Ironic that the current Administration aligns with large corporations who want to deregulate the market, yet at the same time calls for far more regulation over individual rights. The Bush stump speakers seem to say bad laws hurt competition, and therefore no laws are good for the market, which precipitates an overall weakening of individual freedoms and protections against government and its industry partners.

@Bruce

"Regulations are regulations, but it's prosecution that makes a difference."

You might find that fair prosecution comes naturally with properly crafted regulation, so there is definitely a balance between the two.

Regulators are frequently given substantial latitude in deciding how to implement the law. This is one reason that entities subject to actual or potential regulatory oversight like to see "industry participation" in regulatory bodies, and why consumer groups (for example) often like to see citizen participation increased.

[Posted 2005-06-07T19:21:21Z]

Comment from piglet on 2005-06-07
Two things I find puzzling. First, how can the Justice Department change statutory law? Second, what's the connection between the possible punishment of the hospital employee and the possible liability of the employer? What difference does it make to the hospital whether its employee can be prosecuted or not?

[Posted 2005-06-07T18:48:55Z]

Comment from Bruce Schneier on 2005-06-07 (http://www.schneier.com/blog)
Actually, taking a wait-and-see attitude is perfectly rational. Why should a health care company spend millions protecting privacy if there are no penalties for not? Regulations are regulations, but it's prosecution that makes a difference. And zero prosecutions in 13,000 complaints is a telling fact that health-care companies understand.

[Posted 2005-06-07T18:41:35Z]

Comment from Aqualung on 2005-06-07
@Gregory,

Still, Mr. Gibson should also be held accountable for violating HIPAA (on top of the other criminal charges) personally, even if his employer wasn't responsible (i.e. that he didn't have access to information that he shouldn't have had, taking into consideration the duties and responsibilities of his position).

And as we're seeing, maybe those other industries that hold substantial amounts of personal data could do with some HIPAA-like legislation as well.

[Posted 2005-06-07T18:40:25Z]

Comment from elamb on 2005-06-07 (http://elamb.org)
I think it will take a while for the health care community to realize the importance of enforcing laws to protect patient privacy. Sometimes it takes a disaster for industries to wake up and realize the true nature of a threat. And that is too bad.

[Posted 2005-06-07T18:33:46Z]

Comment from Chris Walsh on 2005-06-07
"If the administration doesn't believe that we need to follow its medical data privacy rules, what makes you think they're following the FISA rules?"

A: Not a thing, particularly when they are working to extend the powers of the executive branch to conduct domestic surveillance, while simultaneously attempting to curtail the ability of the judicial branch to review these activities.

The concept of checks (or in audit parlance, "controls") and balances seems to be lost on today's executive branch.

To my mind, this betrays a profoundly pessimistic vision. Even a zealot convinced of his own infallibility should want to limit the potential bad effects of future, fallible, zealots, unless the future is so discounted as to be irrelevant to today's calculations. Such pessimism (or is it myopia?) is cause for concern.

[Posted 2005-06-07T18:22:52Z]

Comment from Bruce Schneier on 2005-06-07 (http://www.schneier.com/blog)
Read Swire's column. He believes that Gibson can be charged under other statutes, but that other privacy violations might not be.

And he makes a persuasive argument that the criminal penalties against organizations are irrelevant. It's rare that corporate policy includes stealing patient credit card numbers.

[Posted 2005-06-07T18:10:56Z]

Comment from Gregory Tucker on 2005-06-07 (http://www.gregorytucker.net/)
There is no reason to panic just yet. The criminal statutes remain, and will still serve a deterrent effect to those who write the hospital policies, or those who fail to carry out the policies on behalf of the hospital.

In the case of Mr. Gibson, clearly his actions were not on behalf of the hospital. He can still be charged under other statutes pertaining to fraud and identity theft.

One could argue that it is unfair to apply stricter standards to hospital employees compared to employees of other companies that hold the same or more personal data, such as insurers, banks, brokerages, personal data aggregators, or even dentist offices.

[Posted 2005-06-07T18:07:00Z]

Comment from Israel Torres on 2005-06-07 (http://blog.israeltorres.org)
With all this flux in privacy and security it is no wonder that we recently were informed that for quite a while convicted sex offenders were getting free viagra.